summaryrefslogtreecommitdiff
path: root/docs/apxB-examples.rst
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2018-10-05 21:35:16 +0200
committerChristian Poessinger <christian@poessinger.com>2018-10-05 21:35:16 +0200
commit82d70154334cfceff0f2940f978f0205265ceaad (patch)
tree8087b315d640c67e14f44025f428d267526c8048 /docs/apxB-examples.rst
parent6446103b120dbd43cc1cf0886355f74d5a5fc2b5 (diff)
downloadvyos-documentation-82d70154334cfceff0f2940f978f0205265ceaad.tar.gz
vyos-documentation-82d70154334cfceff0f2940f978f0205265ceaad.zip
Add Appendix B with a Cisco DMVPN example
Diffstat (limited to 'docs/apxB-examples.rst')
-rw-r--r--docs/apxB-examples.rst105
1 files changed, 105 insertions, 0 deletions
diff --git a/docs/apxB-examples.rst b/docs/apxB-examples.rst
new file mode 100644
index 00000000..f5629349
--- /dev/null
+++ b/docs/apxB-examples.rst
@@ -0,0 +1,105 @@
+Appendix 1 - Configuration Examples
+===================================
+
+VyOS DMVPN Hub
+--------------
+
+General infomration can be found in the DMVPN_ chapter.
+
+Configuration
+^^^^^^^^^^^^^
+
+.. code-block:: sh
+
+ set interfaces tunnel tun100 address '172.16.253.134/29'
+ set interfaces tunnel tun100 encapsulation 'gre'
+ set interfaces tunnel tun100 local-ip '11.22.33.44'
+ set interfaces tunnel tun100 multicast 'enable'
+ set interfaces tunnel tun100 parameters ip key '1'
+
+ set protocols nhrp tunnel tun100 cisco-authentication '<nhrp secret key>'
+ set protocols nhrp tunnel tun100 holding-time '300'
+ set protocols nhrp tunnel tun100 multicast 'dynamic'
+ set protocols nhrp tunnel tun100 redirect
+ set protocols nhrp tunnel tun100 shortcut
+
+ set vpn ipsec esp-group ESP-HUB compression 'disable'
+ set vpn ipsec esp-group ESP-HUB lifetime '1800'
+ set vpn ipsec esp-group ESP-HUB mode 'tunnel'
+ set vpn ipsec esp-group ESP-HUB pfs 'dh-group2'
+ set vpn ipsec esp-group ESP-HUB proposal 1 encryption 'aes256'
+ set vpn ipsec esp-group ESP-HUB proposal 1 hash 'sha1'
+ set vpn ipsec esp-group ESP-HUB proposal 2 encryption '3des'
+ set vpn ipsec esp-group ESP-HUB proposal 2 hash 'md5'
+ set vpn ipsec ike-group IKE-HUB ikev2-reauth 'no'
+ set vpn ipsec ike-group IKE-HUB key-exchange 'ikev1'
+ set vpn ipsec ike-group IKE-HUB lifetime '3600'
+ set vpn ipsec ike-group IKE-HUB proposal 1 dh-group '2'
+ set vpn ipsec ike-group IKE-HUB proposal 1 encryption 'aes256'
+ set vpn ipsec ike-group IKE-HUB proposal 1 hash 'sha1'
+ set vpn ipsec ike-group IKE-HUB proposal 2 dh-group '2'
+ set vpn ipsec ike-group IKE-HUB proposal 2 encryption 'aes128'
+ set vpn ipsec ike-group IKE-HUB proposal 2 hash 'sha1'
+ set vpn ipsec ipsec-interfaces interface 'eth0'
+
+ set vpn ipsec profile NHRPVPN authentication mode 'pre-shared-secret'
+ set vpn ipsec profile NHRPVPN authentication pre-shared-secret '<secretkey>'
+ set vpn ipsec profile NHRPVPN bind tunnel 'tun100'
+ set vpn ipsec profile NHRPVPN esp-group 'ESP-HUB'
+ set vpn ipsec profile NHRPVPN ike-group 'IKE-HUB'
+
+Cisco IOS Spoke
+^^^^^^^^^^^^^^^
+
+This example is verified with a Cisco 2811 platform running IOS 15.1(4)M9 and
+VyOS 1.1.7 (helium) up to VyOS 1.2 (Crux).
+
+.. code-block:: sh
+
+ Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M9, RELEASE SOFTWARE (fc3)
+ Technical Support: http://www.cisco.com/techsupport
+ Copyright (c) 1986-2014 by Cisco Systems, Inc.
+ Compiled Fri 12-Sep-14 10:45 by prod_rel_team
+
+ ROM: System Bootstrap, Version 12.3(8r)T7, RELEASE SOFTWARE (fc1)
+
+Use this configuration on your Cisco device:
+
+.. code-block:: sh
+
+ crypto pki token default removal timeout 0
+ crypto keyring DMVPN
+ pre-shared-key address 1.2.3.4 key <secretkey>
+ !
+ crypto isakmp policy 10
+ encr aes 256
+ authentication pre-share
+ group 2
+ !
+ crypto isakmp invalid-spi-recovery
+ crypto isakmp keepalive 30 30 periodic
+ crypto isakmp profile DMVPN
+ keyring DMVPN
+ match identity address 11.22.33.44 255.255.255.255
+ !
+ crypto ipsec transform-set DMVPN-AES256 esp-aes 256 esp-sha-hmac
+ mode transport
+ !
+ crypto ipsec profile DMVPN
+ set security-association idle-time 720
+ set transform-set DMVPN-AES256
+ !
+ interface Tunnel10
+ description Tunnel to DMVPN HUB
+ ip address 172.16.253.129 255.255.255.248
+ no ip redirects
+ ip nhrp authentication <nhrp secret key>
+ ip nhrp map multicast 11.22.33.44
+ ip nhrp map 172.16.253.134 11.22.33.44
+ ip nhrp network-id 1
+ ip nhrp holdtime 600
+ ip nhrp nhs 172.16.253.134
+ ip nhrp registration timeout 75
+ tunnel source Dialer1
+ tunnel mode gre multipoint
+ tunnel key 1